V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m7s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m7s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -125,8 +125,16 @@ dropbear:
|
||||
|
||||
################################################################################################################################
|
||||
# Grub Bootparameter
|
||||
# https://docs.kernel.org/admin-guide/kernel-parameters.html
|
||||
################################################################################################################################
|
||||
grub_parameter:
|
||||
##############################################################################################################################
|
||||
# [ USB ] Default USB device authorization:
|
||||
# default -1 = authorized (same as 1)
|
||||
# 0 = not authorized, 1 = authorized, 2 = authorized if a device connected to an internal port.
|
||||
##############################################################################################################################
|
||||
- usbcore.authorized_default=0
|
||||
|
||||
##############################################################################################################################
|
||||
# Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go
|
||||
# undetected. During boot if audit=1, then the backlog will hold 64 records. If more than 64 records are created during boot,
|
||||
@@ -644,6 +652,11 @@ software:
|
||||
# chrony
|
||||
#
|
||||
##############################################################################################################################
|
||||
### Installed by 4160_installation_lynis.sh
|
||||
##############################################################################################################################
|
||||
# lynis
|
||||
#
|
||||
##############################################################################################################################
|
||||
### Installed by 4220_installation_cryptsetup.sh
|
||||
##############################################################################################################################
|
||||
# cryptsetup
|
||||
@@ -848,7 +861,7 @@ user:
|
||||
access:
|
||||
ssh: true # Allow SSH access.
|
||||
tty: true # Allow TTY (local console) login.
|
||||
password: false # Allow password login. SSH password login is always disabled.
|
||||
password: true # Allow password login. SSH password login is always disabled.
|
||||
2fa:
|
||||
ssh: true # Require 2FA for SSH access.
|
||||
tty: true # Require 2FA for TTY (local console) login.
|
||||
@@ -869,9 +882,9 @@ user:
|
||||
fullname: "ansible" # The full name of the user account holder.
|
||||
uid: 137 # Ensures that the same user has the same UID on all systems.
|
||||
gid: 137 # Ensures that the same user has the same GID on all systems.
|
||||
shell: /usr/sbin/nologin # Login shell (e.g., '/bin/bash', '/bin/zsh'); use '/usr/sbin/nologin' for non-interactive users.
|
||||
password: "" # No password set for ansible user
|
||||
sshpubkey: ""
|
||||
shell: /bin/bash # Login shell (e.g., '/bin/bash', '/bin/zsh'); use '/usr/sbin/nologin' for non-interactive users.
|
||||
password: "" # No password set for ansible user.
|
||||
sshpubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
|
||||
authentication:
|
||||
access:
|
||||
ssh: true # Allow SSH access.
|
||||
@@ -881,10 +894,10 @@ user:
|
||||
ssh: false # Require 2FA for SSH access.
|
||||
tty: false # Require 2FA for TTY (local console) login.
|
||||
privileges:
|
||||
description: "Automation user without interactive shell and no sudo."
|
||||
description: "Ansible automation user with sudo, key-only SSH, no TTY."
|
||||
sudo: true # Whether the user can escalate to root using sudo.
|
||||
system: true # Whether this is a low-UID system user (e.g., for automation).
|
||||
restricted: false # If true, the user is limited in scope (e.g., no login, no file access, --no-create-home)
|
||||
shell: false # MUST be "true" if the shell is not '/usr/sbin/nologin' or '/bin/false'.
|
||||
shell: true # MUST be "true" if the shell is not '/usr/sbin/nologin' or '/bin/false'.
|
||||
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
|
||||
|
||||
Reference in New Issue
Block a user